Network Working Group W. Dec, Ed.
Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track B. Sarikaya
Expires: August 16, 2013 Huawei USA
G. Zorn
Network Zen
D. Miles
Google
B. Lourdelet
Juniper Networks
February 12, 2013
RADIUS attributes for IPv6 Access Networksdraft-ietf-radext-ipv6-access-16
Abstract
This document specifies additional IPv6 RADIUS attributes useful in
residential broadband network deployments. The attributes, which are
used for authorization and accounting, enable assignment of a host
IPv6 address and IPv6 DNS server address via DHCPv6; assignment of an
IPv6 route announced via router advertisement; assignment of a named
IPv6 delegated prefix pool; and assignment of a named IPv6 pool for
host DHCPv6 addressing.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 16, 2013.
Dec, et al. Expires August 16, 2013 [Page 1]

Internet-Draft RADIUS IPv6 Access February 2013
In the depicted scenario the NAS may utilize an IP address
configuration protocol (e.g. a DHCPv6 server) to handle address
assignment to RGs/hosts. The RADIUS server authenticates each RG/
host and returns to the attributes used for authorization and
accounting. These attributes can include a host's IPv6 address, a
DNS server address and a set of IPv6 routes to be advertised via any
suitable protocol, eg ICMPv6 (Neighbour Discovery). The name of a
prefix pool to be used for DHCPv6 Prefix Delegation, or the name of
an address pool to be used for DHCPv6 address assignment can also be
attributes provided to the NAS by the RADIUS AAA server.
The following sub-sections discuss how these attributes are used in
more detail.
2.1. IPv6 Address Assignment
DHCPv6 [RFC3315] provides a mechanism to assign one or more non-
temporary IPv6 addresses to hosts. To provide a DHCPv6 server
residing on a NAS with one or more IPv6 addresses to be assigned,
this document specifies the Framed-IPv6-Address Attribute.
While [RFC3162] permits an IPv6 address to be specified via the
combination of the Framed-Interface-Id and Framed-IPv6-Prefix
attributes, this separation is more natural for use with PPP's IPv6
Control Protocol than it is for use with DHCPv6, and the use of a
single IPv6 address attribute makes for easier processing of
accounting records.
Since DHCPv6 can be deployed on the same network as ICMPv6 stateless
(SLAAC) [RFC4862], it is possible that the NAS will require both
stateful and stateless configuration information. Therefore it is
possible for the Framed-IPv6-Address, Framed-IPv6-Prefix and Framed-
Interface-Id attributes [RFC3162] to be included within the same
packet. To avoid ambiguity in this case, the Framed-IPv6-Address
attribute is intended for authorization and accounting of DHCPv6-
assigned addresses and the Framed-IPv6-Prefix and Framed-Interface-Id
attributes used for authorization and accounting of addresses
assigned via SLAAC.
2.2. DNS Servers
DHCPv6 provides an option for configuring a host with the IPv6
address of a DNS server. The IPv6 address of a DNS server can also
be conveyed to the host using ICMPv6 with Router Advertisements, via
the [RFC6106] option. To provide the NAS with the IPv6 address of a
DNS server, this document specifies the DNS-Server-IPv6-Address
Attribute.
Dec, et al. Expires August 16, 2013 [Page 4]

Internet-Draft RADIUS IPv6 Access February 20132.3. IPv6 Route Information
An IPv6 Route Information option, defined in [RFC4191] is intended to
be used to inform a host connected to the NAS that a specific route
is reachable via any given NAS.
This document specifies the RADIUS attribute that allows the AAA
server to provision the announcement by the NAS of a specific Route
Information Option to an accessing host. The NAS may advertise this
route using the method defined in [RFC4191], or using other
equivalent methods. Any other information, such as preference or
life-time values, that is to be present in the actual announcement
using a given method is assumed to be determined by the NAS using
means not scoped by this document (e.g. Local configuration on the
NAS).
While the Framed-IPv6-Prefix attribute defined in [RFC3162] Section2.3 causes the route to be advertised in an RA, it cannot be used to
configure more specific routes. While the Framed-IPv6-Route
attribute defined in [RFC3162] Section 2.5 causes the route to be
configured on the NAS, and potentially announced via an IP routing
protocol, depending on the value of Framed-Routing, it does not
result in the route being announced in an RA.
2.4. Delegated IPv6 Prefix Pool
DHCPv6 Prefix Delegation (DHCPv6-PD) [RFC3633] involves a delegating
router selecting a prefix and delegating it on a temporary basis to a
requesting router. The delegating router may implement a number of
strategies as to how it chooses what prefix is to be delegated to a
requesting router, one of them being the use of a local named prefix
pool. The Delegated-IPv6-Prefix-Pool attribute allows the RADIUS
server to convey a prefix pool name to a NAS hosting a DHCPv6-PD
server and acting as a delegating router.
Since DHCPv6 Prefix Delegation can be used with SLAAC on the same
network, it is possible for the Delegated-IPv6-Prefix-Pool and
Framed-IPv6-Pool attributes to be included within the same packet.
To avoid ambiguity in this scenario, use of the Delegated-IPv6-
Prefix-Pool attribute should be restricted to authorization and
accounting of prefix pools used in DHCPv6 Prefix Delegation and the
Framed-IPv6-Pool attribute should be used for authorization and
accounting of prefix pools used in SLAAC.
2.5. Stateful IPv6 address pool
DHCPv6 [RFC3315] provides a mechanism to assign one or more non-
temporary IPv6 addresses to hosts. Section 3.1 introduces the
Dec, et al. Expires August 16, 2013 [Page 5]

Internet-Draft RADIUS IPv6 Access February 2013
Framed-IPv6-Address attribute to be used for providing a DHCPv6
server residing on a NAS with one or more IPv6 addresses to be
assigned to the clients. An alternative way to achieve a similar
result is for the NAS to select the IPv6 address to be assigned from
an address pool configured for this purpose on the NAS. This
document specifies the Stateful-IPv6-Address-Pool attribute to allow
the RADIUS server to convey a pool name to be used for such stateful
DHCPv6 based addressing, and any subsequent accounting.
3. Attributes
The fields shown in the diagrams below are transmitted from left to
right.
3.1. Framed-IPv6-Address
This attribute indicates an IPv6 address that is assigned to the NAS-
facing interface of the RG/host. It MAY be used in Access-Accept
packets, and MAY appear multiple times. It MAY be used in an Access-
Request packet as a hint by the NAS to the RADIUS server that it
would prefer these IPv6 address(es), but the RADIUS server is not
required to honor the hint. Since it is assumed that the NAS will
add a route corresponding to the address, it is not necessary for the
RADIUS server to also send a host Framed-IPv6-Route attribute for the
same address.
This attribute can be used by a DHCPv6 process on the NAS to assign a
unique IPv6 address to the RG/host.
A summary of the Framed-IPv6-Address attribute format is shown below.
The format of the address is as per [RFC3162].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Dec, et al. Expires August 16, 2013 [Page 6]

Internet-Draft RADIUS IPv6 Access February 2013
Type
TBA1 for Framed-IPv6-Address
Length
18
Address
The IPv6 address field contains a 128-bit IPv6 address.
3.2. DNS-Server-IPv6-Address
The DNS-Server-IPv6-Address attribute contains the IPv6 address of a
DNS server. This attribute MAY be included multiple times in Access-
Accept packets, when the intention is for a NAS to announce more than
one DNS server addresses to a RG/host. The same order of the
attributes is expected to be followed in the announcements to the
RADIUS client. The attribute MAY be used in an Access-Request packet
as a hint by the NAS to the RADIUS server regarding the DNS IPv6
address, but the RADIUS server is not required to honor the hint.
The content of this attribute can be inserted in a DHCPv6 option as
specified in [RFC3646] or in an IPv6 Router Advertisment as per
[RFC6106].
A summary of the DNS-Server-IPv6-Address attribute format is given
below. The format of the address is as per [RFC3162].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Dec, et al. Expires August 16, 2013 [Page 7]

Internet-Draft RADIUS IPv6 Access February 2013
Type
TBA2 for DNS-Server-IPv6-Address
Length
18
Address
The 128-bit IPv6 address of a DNS server.
3.3. Route-IPv6-Information
This attribute specifies a prefix (and corresponding route) for the
user on the NAS, which is to be announced using the Route Information
Option defined in "Default Router Preferences and More Specific
Routes" [RFC4191] Section 2.3. It is used in the Access-Accept
packet and can appear multiple times. It MAY be used in an Access-
Request packet as a hint by the NAS to the RADIUS server, but the
RADIUS server is not required to honor the hint. The Route-IPv6-
Information attribute format is depicted below. The format of the
prefix is as per [RFC3162].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Prefix (variable) .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA3 for Route-IPv6-Information
Length
Length in bytes. At least 4 and no larger than 20; typically 12
or less.
Dec, et al. Expires August 16, 2013 [Page 8]

Internet-Draft RADIUS IPv6 Access February 2013
Prefix Length
8-bit unsigned integer. The number of leading bits in the prefix
that are valid. The value ranges from 0 to 128. The prefix field
is 0, 8 or 16 octets depending on Length.
Prefix
Variable-length field containing an IP prefix. The prefix length
field contains the number of valid leading bits in the prefix.
The bits in the prefix after the prefix length (if any) are
reserved and MUST be initialized to zero.
3.4. Delegated-IPv6-Prefix-Pool
This attribute contains the name of an assigned pool that SHOULD be
used to select an IPv6 delegated prefix for the user on the NAS. If
a NAS does not support prefix pools, the NAS MUST ignore this
attribute. It MAY be used in an Access-Request packet as a hint by
the NAS to the RADIUS server regarding the pool, but the RADIUS
server is not required to honor the hint.
A summary of the Delegated-IPv6-Prefix-Pool attribute format is shown
below.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA4 for Delegated-IPv6-Prefix-Pool
Length
Length in bytes. At least 3.
String
The string field contains the name of an assigned IPv6 prefix pool
configured on the NAS. The field is not NULL (hexadecimal 00)
terminated.
Note: The string data type is as documented in [RFC6158], and carries
binary data that is external to the Radius protocol, eg the name of a
pool of prefixes configured on the NAS.
Dec, et al. Expires August 16, 2013 [Page 9]

Internet-Draft RADIUS IPv6 Access February 20133.5. Stateful-IPv6-Address-Pool
This attribute contains the name of an assigned pool that SHOULD be
used to select an IPv6 address for the user on the NAS. If a NAS
does not support address pools, the NAS MUST ignore this attribute.
A summary of the Stateful-IPv6-Address-Pool attribute format is shown
below. It MAY be used in an Access-Request packet as a hint by the
NAS to the RADIUS server regarding the pool, but the RADIUS server is
not required to honor the hint.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA5 for Stateful-IPv6-Address-Pool
Length
Length in bytes. At least 3.
String
The string field contains the name of an assigned IPv6 stateful
address pool configured on the NAS. The field is not NULL
(hexadecimal 00) terminated.
Note: The string data type is as documented in [RFC6158], and carries
binary data that is external to the Radius protocol, eg the name of a
pool of addresses configured on the NAS.
3.6. Table of attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity. The optional
inclusion of the options in Access Request messages is intended to
allow for a network access server (NAS) to provide the RADIUS server
with a hint of the attributes in advance of user authentication,
which may be useful in cases where a user re-connects or has a static
address. The server is under no obligation to honor such hints.
Dec, et al. Expires August 16, 2013 [Page 10]